Set MYSQL_ROOT_PASSWORD via Secret #253
Conversation
Signed-off-by: Koichiro Den <den@valinux.co.jp>
scripts/deploy.sh (outdated)
# Generate Secret with dynamically initialized data, so as to keep Go codebase
# simple as possible i.e., without client-go ClientSet.
cat <<EOF | kubectl create -f -
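Review bot: "kubectl create -f -" on a freshly generated Secret is not idempotent: once the Secret exists, a second run of deploy.sh fails with AlreadyExists, and if the create were instead forced through, the new random password would no longer match the one the running MySQL was initialized with. Check for an existing vizier-db Secret before generating a password (skip generation when it is present), or separate generation from deployment so that deploy.sh only applies a manifest that was rendered once.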
Please create a db-secret.yml rather than generating a key in deploy.sh.
The deploy.sh should be a simple support script.
Thanks for the comment. If we still keep the password randomised as my original patch does, I may choose either of:
- (1) make it a Go template and add a lightweight CLI tool to do template.Execute()
- (2) choose a popular template engine, such as jinja2
Does option (1) sound ok to you? If I misunderstood your point, please correct me.
Do we really need to randomize?
Why not make a secret manifest and set a default password? Then users will edit it when they need to.
To be honest, I don't have any strong intention for randomization. I'll remove randomisation and push a commit tomorrow. The PR diff should be a very simple and small one. Thanks. :)
To googlebot, abt. CLA:
CLAs look good, thanks!
Signed-off-by: Koichiro Den <den@valinux.co.jp>
@YujiOshima please take another look.
@lkpdn Thank you! It gets simple!
name: vizier-db-secrets
namespace: katib
data:
MYSQL_ROOT_PASSWORD: test
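Review bot: values under "data:" in a Kubernetes Secret must be base64-encoded, so "MYSQL_ROOT_PASSWORD: test" does not set the password to the string test. The four characters are accepted as valid base64 but decode to three arbitrary bytes (0xB5 0xEB 0x2D), and that binary value is what MySQL will be initialized with. Either put the literal under "stringData:" (the API server encodes it on write) or store the base64 form, "dGVzdA==", under "data:".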
I think we should take a "secure by default" approach and the value should be randomized, while its implementation can be a bit messy. Also it has to be initialized before the mysql pod starts up.
At least there should be an issue so that we don't forget to randomize before GA. ;-)
IMHO editing the manifest for the secret before running deploy.sh does not seem much of a burden.
To do that, users must be aware of the secret.yaml file. Randomization must happen automatically or the majority of deployments would be in an insecure state.
I agree with your point "secure by default". How about dynamically generating manifests when executing ./scripts/build.sh, or introducing a new script, e.g. ./scripts/generate-manifests.sh? Other projects tend to have users do that sort of thing, such as $ make manifests. I think it's much better than doing it in ./scripts/deploy.sh.
I'm just guessing, but the test failure seems not related to this PR. Looking into it...
/retest
Fixes: 5312459 ("Set randomly generated MYSQL_ROOT_PASSWORD via Secret") Signed-off-by: Koichiro Den <den@valinux.co.jp>
force-pushed from f1ed1c1 to b533db5
Great! Thank you!
Thanks for reviewing.
Commit b6f8e07 ("Update manifests (kubeflow#246)") has just changed the namespace as a whole. This new manifest should be updated as well. Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (kubeflow#253)") Signed-off-by: Koichiro Den <den@valinux.co.jp>
Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (kubeflow#253)") Signed-off-by: Koichiro Den <den@valinux.co.jp>
* Add readinessProbe for vizier-db Signed-off-by: Koichiro Den <den@valinux.co.jp> * Fix MYSQL_ROOT_PASSWORD Fixes: 67e94c7 ("Set MYSQL_ROOT_PASSWORD via Secret (#253)") Signed-off-by: Koichiro Den <den@valinux.co.jp> * Add simple loop to wait for DB connection successfully opened Signed-off-by: Koichiro Den <den@valinux.co.jp>
For security reasons, we had better (a) factor out the hard-coded mysql root password and use a Secret instead, and (b) set a dynamically generated random password.